In my reading of the admin guide (section 15.2.5 - .7), mapping of a "username" to a DN is a common configuration, and allows for other functionality. I am trying to use the below Authz RegExp to do the mapping:
olcAuthzRegexp: {0}uid=([^,]+),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com
I am no regex guru, so I don't know if the above is appropriate. If I compare the above to the admin guide, I notice that mine is uid=([^,]+), whereas the docs show uid=([^,]*). The + vs. the * might be an issue. Can that be confirmed?
On Sat, Mar 16, 2013 at 2:27 PM, Dan White dwhite@olp.net wrote:
In my experience, authorization is not a standardized concept, even among servers that support sasl, ldap, and/or kerberos authentication.
In general, approaches which are most likely to bear fruit:
unix group membership
Install an ldap nss module on the server, and add objectClass posixGroup to your group entries. Specify "member: <user_id>" for each member of the group. Find out if a given server (such as squid) supports such authorization, either by way of a getgrent system call (such as with openssh), or via some pam group module during authentication.
RADIUS (freeradius ldap backend)
If the server supports radius authentication, then you have flexibility in granting authentication based on an ldap attribute or ldap group membership, by way of its ldap backend module.
pam ldap module
If the server supports pam authentication, then use an ldap pam module (nssov, pam-nss-ldapd, or pam_ldap) to grant authentication based on an ldap attribute or ldap group membership.
I'm not aware of a way to grant authorization solely by using kerberos.
-- Dan White
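To answer the "+ vs. *" question at the top of the thread, here is an added example (not from either poster, and not slapd's own code) that applies the olcAuthzRegexp from the question to constructed GSSAPI SASL DNs with both forms of the pattern and with a stricter, escaped variant. It assumes slapd matches authz-regexp search patterns as unanchored, case-insensitive POSIX extended regexes and builds the result from the replacement string alone; the sample DNs and the strict pattern are constructed for illustration.

```python
import re

# Assumption (not stated on the page): slapd compiles authz-regexp search
# patterns as POSIX extended regexes, unanchored and matched case-insensitively,
# and builds the result from the replacement string alone, substituting $1..$9.
# Python's re is close enough for these patterns; $1 is written \1 here.
FLAGS = re.IGNORECASE

# The search pattern from the question's olcAuthzRegexp (the leading {0} is
# only the ordering index of the attribute value, not part of the pattern).
PATTERN_PLUS = r"uid=([^,]+),cn=bpk2.com,cn=gssapi,cn=auth"
# The same pattern written the way the admin guide shows it ('*' not '+').
PATTERN_STAR = r"uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth"
# Constructed stricter variant: anchored, '+', and an escaped dot so that
# '.' matches only a literal dot in the realm name.
PATTERN_STRICT = r"^uid=([^,]+),cn=bpk2\.com,cn=gssapi,cn=auth$"
REPLACEMENT = r"uid=\1,ou=Users,dc=bpk2,dc=com"


def map_authz(sasl_dn, pattern=PATTERN_PLUS, replacement=REPLACEMENT):
    """Return the DN the rule maps sasl_dn to, or None when the pattern does
    not match (slapd then tries the next rule and, if none matches, leaves
    the SASL-derived DN unmapped)."""
    m = re.search(pattern, sasl_dn, FLAGS)
    return None if m is None else m.expand(replacement)


# Constructed sample SASL DNs, in the shape slapd derives for GSSAPI binds:
# uid=<principal>,cn=<REALM>,cn=gssapi,cn=auth.  Kerberos realms are usually
# upper case, which is why case-insensitive matching matters for 'cn=bpk2.com'.
SAMPLES = [
    "uid=alice,cn=BPK2.COM,cn=gssapi,cn=auth",     # ordinary user
    "uid=,cn=BPK2.COM,cn=gssapi,cn=auth",          # empty uid: only '*' accepts it
    "uid=bob,cn=OTHER.EXAMPLE,cn=gssapi,cn=auth",  # other realm: no rule matches
    "uid=carol,cn=BPK2XCOM,cn=gssapi,cn=auth",     # unescaped '.' accepts this
]


def compare(samples=SAMPLES):
    """Map each sample with all three patterns; returns a list of
    (sasl_dn, plus_result, star_result, strict_result) tuples."""
    return [(dn,
             map_authz(dn, PATTERN_PLUS),
             map_authz(dn, PATTERN_STAR),
             map_authz(dn, PATTERN_STRICT)) for dn in samples]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The only input on which `+` and `*` disagree is an empty uid, which `*` maps to `uid=,ou=Users,dc=bpk2,dc=com`; the escaped, anchored variant additionally stops the realm component from matching anything other than the literal `bpk2.com`.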